Solved

Upgrading DC from 2003 to 2008

Posted on 2010-11-18
9
450 Views
Last Modified: 2012-08-14
I am trying to upgrade my domain controller to Windows 2008 from Windows 2003. I stood up the new server and promoted it to a DC in the same domain and promoted it to a global catalog server. I also installed DNS and transferred the FSMO roles to the 2008 server. Everything seemed to be fine, Active Directory and DNS were replicating to the new server..
When I tried to demote the old server, I received a caution that there was no other Active Directory DC's in the forest. I then tried shutting off the old DC and all computers lost connection to the domain... I also noticed that when I bring up \\NEWDC my SYSVOL and NETLOGON shares are missing..
I have never had this problem on any other domain so I was hoping I could find answers here.. Any help would be greatly appreciated..
0
Comment
Question by:NavyIT
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34169989
It sounds like the new server never fully replicated.
Can you run
"netdom /quest fsmo" to see what server holds the fsmo roles
then run dcdiag on both DCs and post the results.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34170010
you mistyped on the FSMO command Ken....I know what you meant though...and it happens to all of us

netdom /query fsmo
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34170022
sorry about that, thanks Mike
0
 
LVL 76

Expert Comment

by:arnold
ID: 34170762
As others pointed out, if sysvol/netlogon are inaccessible, the replication did not complete.  Check to see whether there are errors that prevent the replication.
One the replication completes and it does not prevent the DC from serving the domain, you should make sure that the IP of the new DC is included in the DNS/Name server settings pushed from the DHCP.
0
 

Author Comment

by:NavyIT
ID: 34173371
The new DC holds the following FSMO roles: Schema Master, Domain naming master, PDC, RID pool manager, Infrastructure master

I had to sanitize the dcdiag b/c this DC is on a classified network..
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\DC.domain, when we were trying to reach DC1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
         ......................... DC1 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC1\netlogon)
         [DC1] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x80009008
            Time Generated: 11/19/2010   05:55:05
            Event String:
            No suitable default server credential exists on this system. This wi
ll prevent server applications that expect to make use of the system default cre
dentials from accepting SSL connections. An example of such an application is th
e directory server. Applications that manage their own credentials, such as the
internet information server, are not affected by this.
         An Warning Event occurred.  EventID: 0x8000A008
            Time Generated: 11/19/2010   06:09:07
            Event String:
            The Security System has received an authentication request that coul
d not be decoded. The request has failed.
         An Error Event occurred.  EventID: 0x80000017
            Time Generated: 11/19/2010   06:14:25
            Event String:
            The KDC received invalid messages of type changepassword.
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : (Domain)
      Starting test: CheckSDRefDom
         ......................... (Domain) passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... (Domain) passed test CrossRefValidation

   Running enterprise tests on : (FQDN)
      Starting test: LocatorCheck
         ......................... (FQDN) passed test
         LocatorCheck
      Starting test: Intersite
         ......................... (FQDN) passed test
         Intersite
0
 
LVL 76

Expert Comment

by:arnold
ID: 34173750
Depending on what limitation and how much data needs to be replicated it seems it time should get the replication done.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23337964.html

The computer machine password does not match, you may need to make sure it is correct on the new DC
http://support.microsoft.com/kb/325850

It seems that you transferred the roles soon after the new DC joined the domain?
Not sure whether it would be better to transfer the roles back to the windows 2003 system and let the data replicate. (make sure you have a current system state backup.)

http://www.petri.co.il/forums/showthread.php?t=24776
0
 

Accepted Solution

by:
NavyIT earned 0 total points
ID: 34188611
Thank you for all your help. The problem turned out to be a registry setting..
I set Burflags in
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
to D4; Reset the Netlogon and NTFRS services; and the NETLOGON and SYSVOL shares showed up..

AD is replicating and I have no errors..
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34824938
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Join & Write a Comment

When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now